[Snort-users] (no subject)

Marc Quibell mquibell at ...7759...
Mon Sep 22 13:36:25 EDT 2003


Yes, I had suggested it was a router, since they were ICMP "unreachable"
errors, and usually it's the routers responding. Is this a worm or something
randomly searching IPs for port 138? Sorry, I overlooked the fact that you had
destinations in the packets as well...

Maybe you can put on your Cisco routers "no ip directed broadcasts" and it will
help?

Marc





roesch at ...1935... on 09/22/2003 02:48:24 PM

To:   "Edward Marshall" <edtech at ...9974...>
cc:   Marc Quibell/FBFS at ...7813..., snort-users at lists.sourceforge.net

Subject:  Re: [Snort-users] (no subject)



That looks like something responding on the broadcast to broadcast
netbios-dgm traffic, did you get the MAC address of the source side of
the packets?  Some device on the network is feeling empowered to answer
for broadcast traffic....

      -Marty

On Thursday, September 18, 2003, at 09:22 PM, Edward Marshall wrote:

> Hi Marc, in response to your question on my problem (Broadcast addresses
> showing up as a source IP address??? 192.168.2.255 & 255.255.255.255), I
> have included in this email 4 alert messages, as an example of what
> snort is detecting and logging in the log file called ALERT:
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
> 07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
> ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.217:138 -> 255.255.255.255:138
> UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 79 seconds [**]
> 07/29-13:40:20.891202 255.255.255.255 -> 192.168.2.146
> ICMP TTL:64 TOS:0x0 ID:47418 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.146:138 -> 255.255.255.255:138
> UDP TTL:255 TOS:0x0 ID:26601 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 53 seconds [**]
> 07/29-09:55:31.003547 192.168.2.255 -> 192.168.2.55
> ICMP TTL:64 TOS:0x0 ID:34116 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.55:138 -> 192.168.2.255:138
> UDP TTL:128 TOS:0x0 ID:8463 IpLen:20 DgmLen:229
> Len: 201
> ** END OF DUMP
>
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.2.255: 6 targets 6 ports in 34 seconds [**]
> 07/29-09:56:17.455466 192.168.2.255 -> 192.168.2.69
> ICMP TTL:64 TOS:0x0 ID:52213 IpLen:20 DgmLen:68
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.2.69:138 -> 192.168.2.255:138
> UDP TTL:32 TOS:0x0 ID:35585 IpLen:20 DgmLen:231
> Len: 203
> ** END OF DUMP
>
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marc
> Quibell
> Sent: Thursday, September 18, 2003 9:51 AM
> To: snort-users at lists.sourceforge.net
> Cc: edtech at ...9974...
> Subject: [Snort-users] (no subject)
>
>
>
> Broadcast addresses can't show up as a source. Must be your reporting is
> a little whacky...What are the destinations?
>
> Marc
>
>> Message: 2
>> From: "Edward Marshall" <edtech at ...9974...>
>> To: <snort-users at lists.sourceforge.net>
>> Date: Thu, 18 Sep 2003 05:59:43 -0400
>> Subject: [Snort-users] Broadcast address???
>
>> Hi Guys, after running Snort 2.0.1 on a corporate network 192.168.2.0/24
>> for a week, I used Sawmill to analyze the Snort log files (Alert,
>> Portscan.log and Scan.log).
>> I noticed that the following source IP addresses showed up: 192.168.2.255
>> (with 6,296 hits) and 255.255.255.255 (with 626 hits). My question is,
>> aren't these two IP addresses broadcast addresses???  How can a
>> broadcast address show up as a source IP address???
>
>> Any assistance would be greatly appreciated!!!
>
>
>> Thanks
>
>> Eddie
>
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
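Added example, not code from the thread or from Snort: a small triage script that parses alert blocks in the format quoted above and separates Marty's case (an ICMP port-unreachable error sourced from a broadcast address whose embedded datagram was itself a broadcast, which RFC 1122 section 3.2.2 says a host must never generate, so some device is answering as the broadcast address) from ordinary alerts. The first sample block and the LAN prefix 192.168.2.0/24 are taken from the thread; the second block is constructed for contrast.

```python
import ipaddress
import re

# Sample input: first block quoted from the thread; second block constructed as an ordinary alert.
SAMPLE_ALERTS = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 255.255.255.255: 6 targets 6 ports in 45 seconds [**]
07/29-11:03:54.973312 255.255.255.255 -> 192.168.2.217
ICMP TTL:64 TOS:0x0 ID:19157 IpLen:20 DgmLen:68
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.2.217:138 -> 255.255.255.255:138
UDP TTL:255 TOS:0x0 ID:7551 IpLen:20 DgmLen:229
Len: 201
** END OF DUMP

[**] [1:999999:1] (constructed) ordinary UDP alert [**]
07/29-12:00:00.000000 192.168.2.10:4444 -> 192.168.2.20:53
UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""

# Matches "src[:port] -> dst[:port]" as Snort prints it for the outer packet and the inner dump.
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?")


def is_broadcast(addr, lan):
    """True for the limited broadcast (255.255.255.255) or the directed broadcast of `lan`."""
    net = ipaddress.ip_network(lan, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.ip_address("255.255.255.255") or ip == net.broadcast_address


def triage(alert_text, lan):
    """Return (outer_src, inner_dst, verdict) for each alert block in `alert_text`."""
    results = []
    for block in alert_text.split("[**] ["):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue  # split() yields an empty string before the first block
        src = PKT_RE.search(lines[1]).group(1)  # "date src -> dst" line
        unreachable = any(ln.split()[:2] == ["Type:3", "Code:3"] for ln in lines)
        inner_dst = None
        if "** ORIGINAL DATAGRAM DUMP:" in lines:
            inner_dst = PKT_RE.search(lines[lines.index("** ORIGINAL DATAGRAM DUMP:") + 1]).group(2)
        if not is_broadcast(src, lan):
            verdict = "normal"
        elif unreachable and inner_dst and is_broadcast(inner_dst, lan):
            # RFC 1122 forbids ICMP errors for broadcast datagrams: a device is answering as the broadcast address.
            verdict = "icmp-error-answering-broadcast"
        else:
            verdict = "broadcast-source-anomaly"
        results.append((src, inner_dst, verdict))
    return results
```

Once a block is classified as "icmp-error-answering-broadcast", the source MAC of that ICMP frame (from a packet capture, not from the alert text) is what identifies the misbehaving device.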